Re: Oops while checking file system auditing
On Tue, 2005-05-24 at 15:19 -0400, Steve Grubb wrote:
On Tuesday 24 May 2005 14:06, Timothy R. Chavez wrote:
> Can you also provide architecture, UP/SMP, etc
I just upgraded to the .48 kernel and did this:
-a entry,always -S mkdir
-a entry,always -S kill
-w /etc/passwd -k fk_passwd -p rwea
-w /var/run/dbus/system_bus_socket -k dbus-test -p rwea
This kills the machine dead...well except for the blinking numlock & caps lock
lights.
so far, i am unable to reproduce on audit.48 up or smp.
[root@localhost ~]# auditctl -l
AUDIT_LIST: entry always syscall=mkdir
AUDIT_LIST: entry always syscall=kill
AUDIT_WATCH_LIST: dev=8:2, path=/etc/passwd, filterkey=fk_passwd,
perms=15, valid=0
AUDIT_WATCH_LIST: dev=8:2, path=/var/run/dbus/system_bus_socket,
filterkey=, perms=15, valid=0
u[root@localhost ~]# uname -a
Linux localhost.localdomain 2.6.9-5.0.3.EL.audit.48smp #1 SMP Mon May 23
16:33:18 EDT 2005 i686 i686 i386 GNU/Linux
[root@localhost ~]# auditctl -l
AUDIT_LIST: entry always syscall=mkdir
AUDIT_LIST: entry always syscall=kill
AUDIT_WATCH_LIST: dev=8:2, path=/etc/passwd, filterkey=, perms=15,
valid=0
AUDIT_WATCH_LIST: dev=8:2, path=/var/run/dbus/system_bus_socket,
filterkey=dbus-test, perms=15, valid=0
[root@localhost ~]# uname -a
Linux localhost.localdomain 2.6.9-5.0.3.EL.audit.48 #1 Mon May 23
16:24:01 EDT 2005 i686 i686 i386 GNU/Linux
steve, can you reproduce it reliably?
rob.